Events2Join

How Adversaries Can Persist with AWS User Federation


How Adversaries Can Persist with AWS User Federation - CrowdStrike

The technique requires that the adversary first obtain valid AWS API credentials with the necessary security token service (STS) and identity ...

How Adversaries Can Persist with AWS User Federation : r/crowdstrike

33K subscribers in the crowdstrike community. Welcome to the CrowdStrike subreddit. CrowdStrike Falcon offers cloud-delivered solutions ...

How Adversaries Can Persist with AWS User Federation

In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account. ... The adversary can ...

Veza on LinkedIn: How Adversaries Can Persist with AWS User ...

Contrary to popular belief, deactivating a user in AWS is not enough to keep threat actors from accessing their privilege. Federated sessions are a ...

How Adversaries Can Persist with AWS User Federation - LinkedIn

Excited to share this blog post I wrote with my teammate Joel Eng on how adversaries can establish persistence in an #AWS account using ...

Gaining AWS Persistence by Updating a SAML Identity Provider

When an attacker compromises an AWS account, one of the first tactics they will try is gaining persistence. This is because, in many cases, ...

Identity Security: The problem(s) with federation | SlashID Blog

However, attackers can exploit identity federation to breach organizations or maintain persistence in a system. This blog post explores ...

AWS IAM Persistence Methods - Hacking The Cloud

An adversary with the iam:CreateLoginProfile permission can create login profiles for other users (specifying the password of their choosing).

Strategies Used by Adversaries to Steal Application Access Tokens

Federated tokens, which allow users to assume temporary credentials, can give users extensive permissions which can unintentionally open doors to ...

How adversaries infiltrate AWS cloud accounts - Red Canary

Once the adversary has access to the IAM user account via the AKIA key and their backup ASIA short-term tokens (generated via STS), they can ...

Account Manipulation: Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Survive Access Key Deletion with sts:GetFederationToken

How Adversaries Can Persist with AWS User Federation. Required IAM ... To create temporary IAM credentials using sts:GetFederationToken, you can ...

AWS Identity Federation and Least Privilege – Friends or Foes? - Blog

When utilizing AWS IAM federation, the roles defined to allow federated users access to AWS resources are a classic single point of failure ( ...

Compromising Identity Provider Federation - CrowdStrike

CrowdStrike's Incident Response team has seen a recent increase in cases involving adversaries that abuse identity provider federation to ...

Best Practices for AWS Identity Federation | by Christopher Adamson

Enforce short session durations and multi-factor authentication through the identity provider. Continuously monitor access by enabling AWS ...

Identity and Access Management: Recommended Best Practices for ...

Effective identity governance can mitigate the impacts of many prevalent IAM threats: ... Adversaries, both internal and external threat ...

T1098.001 - Account Manipulation: Additional Cloud Credentials

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the ...

AWS STS Role Assumption by User | Elastic Security Solution [8.16]

Identifies when a user or role has assumed a role in AWS Security Token Service (STS). Users can assume a ...

IAM user, group, or role should restrict IAM access key permissions

There is an IAM user, group, or role that can create, manage, query, and delete access keys without restriction. Such privileges should be strictly controlled.

Enterprise Techniques - MITRE ATT&CK®

An adversary may add additional roles or permissions to an adversary-controlled user or service account to maintain persistent access to a container ...